Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

A Day To Forget For Teen At Center Of TweetDeck Shutdown

An Austrian teen at the center of yesterday’s TweetDeck security incident explains how things went wrong and what the last 24 hours have been like.

The last 24 hours have been a sad, scary and frustrating time for an 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday’s TweetDeck mess—all because of a Unicode heart.

Twitter’s real-time account dashboard was taken down for a brief time yesterday before a cross-site scripting vulnerability in the TweetDeck Chrome plug-in was properly addressed. But not before code exploiting the bug in a benign manner spread to Twitter users worldwide.

Ground zero for the incident was the Austrian teen who identified himself only as Florian to Threatpost. The youngster said things began yesterday when he tweeted out an HTML hearts symbol (&hearts) that was graphically displayed in the message.

“TweetDeck is not supposed to display this as an image, because it’s simple text, which should be escaped to “&amp;hearts;,” he said.

The message in fact displayed two hearts, indicating that the Unicode heart was preventing TweetDeck from escaping the HTML special character, Florian said. It was executing code automatically and likely was a cross-site scripting vulnerability.

“There were two hearts. One was black (at the position where the “&hearts;” was supposed to be) and one was red (this one was the Unicode-character and got replaced by TweetDeck),” Florian explained. “So I started to play around, and discovered, that the Unicode-heart (which gets replaced with an image by TweetDeck) somehow prevents the Tweet from being HTML-escaped. So I used a Strong HTML tag to verify this. It worked.”

Florian said he wrote a script that displayed a pop-up and then blocked itself to confirm the vulnerability.

“This is called XSS (cross-site-scripting) and is very dangerous,” Florian said. “No web developer should ever make this possible. TweetDeck did.”

@TweetDeck You don’t escape HTML-chars if an unicode-char is in the tweet -text (eg. ♥ ). This allows XSS! <strong>FIX THAT!</strong>

He tweeted what he’d found to TweetDeck, which soon pushed out a fix, asking users to log out of the service and then log back in. The fix did not take, however, prompting TweetDeck to go offline for about an hour until it was resolved.

We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.

“I didn’t know that there is such a big problem. So I experimented with this in a public environment, there was no reason not to do so,” Florian said. “And that was the point where I reported this to TweetDeck.

“TweetDeck actually did not react in any way,” Florian said. “Their next Tweet was saying that there is a security-issue and the users should log in again.”

In the interim, a small worm was written by a Twitter user @derGeruhn that was retweeted automatically by tens of thousands of accounts.

“The last 24 hours? They were ‘unreal’ in a way,” Florian said. The teen spent much of the day defending himself against people calling him a hacker and taking turns applauding and criticizing his actions. “At first it was very annoying because people do not [understand] that I haven’t hacked and shut down TweetDeck, but they did themselves.”

Cross-site scripting is one of the most common and dangerous web application vulnerabilities, putting users at risk for serious compromises. In the case of the TweetDeck exploit, an attacker could take over a user’s account, post or delete tweets or deface the account.

Cross-site scripting occurs when attackers are able to inject code into webpages or web-based services that can automatically be executed by a user’s browser. Hackers successfully executing a cross-site scripting attack can remotely inject code client-side, leading to data loss or service interruption.

“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet,” said Trey Ford, global security strategist at Rapid7 yesterday in a statement. “The current attack we’re seeing is a ‘worm’ that self-replicates by creating malicious tweets.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.